1. Field of the Invention
The present invention relates to a wireless communications device. More particularly, the present invention relates to the storing of a security START value in non-volatile memory of a wireless communications device.
2. Description of the Prior Art
The 3rd Generation Partnership Project (3GPP) specifications 3GPP TS 25.331 V3.12.0 (2002–09) “Radio Resource Control (RRC) Protocol Specification” and 3GPP TS 33.102 V3.12.0 (2002–06) “Security architecture”, both of which are included herein by reference, provide technical description of a Universal Mobile Telecommunications System (UMTS), and related security protocols thereof. The UMTS discloses a device (typically a mobile device), termed user equipment (UE), in wireless communications with one or more base stations. These base stations (so-called Node Bs), with their corresponding Radio Network Controllers (RNCs), are collectively termed the UMTS Terrestrial Radio Access Network, or UTRAN for short. In general, from the standpoint of security, peer entity radio resource control (RRC) layers on the UE and UTRAN sides establish one or more radio access links with each other to exchange signaling and user data by way of RRC protocol data units (PDUs). In the following brief background, which is taken from the above-indicated document 3GPP TS 33.102, familiarity with 3GPP protocols is assumed.
Please refer to FIG. 1. FIG. 1 illustrates the use of integrity algorithm f9 to authenticate the data integrity of a signaling message. Input parameters into the f9 algorithm include an Integrity Key (IK), an integrity sequence number (COUNT-I), a random value generated on the network side (FRESH), a direction bit DIRECTION, and finally the signaling message data MESSAGE held within the RRC PDU. Based upon these input parameters, the wireless equipment computes an authentication code MAC-I for data integrity verification, by way of the integrity algorithm The MAC-I code is then appended to the corresponding signaling message when sent over the radio access link. A receiver computes XMAC-I from the received signaling message in the same manner as the sender computed the equivalent MAC-I on the sent signaling message, and verifies the data integrity of the received signaling message by comparing the receiver-side computed XMAC-I code to the received MAC-I code.
Please refer to FIG. 2. FIG. 2 is a block diagram of the data structure of the COUNT-I value depicted in FIG. 1. The integrity sequence number COUNT-I is 32 bits long. COUNT-I is composed of two parts: a “short” sequence number and a “long” sequence number. The “short” sequence number forms the least significant bits of COUNT-I, while the “long” sequence number forms the most significant bits of COUNT-I. The “short” sequence number is a 4-bit RRC sequence number RRC SN that is present in each RRC PDU. The “long” sequence number is a 28-bit RRC hyper frame number RRC HFN, which is incremented at each RRC SN cycle. That is, upon detection of rollover of the RRC SN within a RRC PDU, the RRC HFN is incremented by the RRC layer. Whereas the RRC SN is transmitted with the RRC PDU, the RRC HFN is not transmitted and is instead maintained by the peer entity RRC layers of the wireless device and the UTRAN.
The RRC HFN is initialised by means of a parameter START, which is described in section of the above-indicated document 3GPP TS 33.102. The UE, and the RNC to which the UE is assigned, then initialise the 20 most significant bits of the RRC HFN to the START value; the remaining bits of the RRC HFN are initialised to 0.
Please refer to FIG. 3. FIG. 3 illustrates the ciphering of user and signalling data over a radio access link. As with integrity checking, the input parameters into the ciphering algorithm f8 are the cipher key CK, a time dependent input COUNT-C, the bearer identity BEARER, the direction of transmission DIRECTION, and a value LENGTH, which is the length of the keystream required. Based on these input parameters the f8 algorithm generates an output keystream KEYSTREAM BLOCK, which is used to encrypt an input plaintext block PLAINTEXT to produce the output ciphertext block CIPHERTEXT. The input parameter LENGTH affects only the length of KEYSTREAM BLOCK, and not the actual bits in KEYSTREAM BLOCK.
The ciphering sequence number COUNT-C is 32 bits long. There is one COUNT-C value per up-link radio bearer and one COUNT-C value per down-link radio bearer in radio link control (RLC) acknowledged mode (AM) or RLC unacknowledged mode (UM) connections. The RLC layer lies below the RRC layer, and may be thought of as a layer-2 interface. For all transparent mode (TM) RLC radio bearers of the same core network (CN) domain, COUNT-C is the same, and COUNT-C is also the same for both the uplink and downlink TM connections.
Please refer to FIG. 4. FIG. 4 is a block diagram of the COUNT-C value of FIG. 3 for all connection modes. COUNT-C is composed of two parts: a “short” sequence number and a “long” sequence number. The “short” sequence number forms the least significant bits of COUNT-C, while the “long” sequence number forms the most significant bits of COUNT-C. The update of COUNT-C depends on the transmission mode as described below:                For RLC TM on a dedicated channel (DCH), the “short” sequence number is the 8 -bit connection frame number (CFN) of COUNTIt is independently maintained in the UE MACentity and the serving RNC (SRNC) MAC-d entity. The SRNC is the RNC to which the UE is assigned, and through which the UE communicates with the network. The “long” sequence number is the 24-bit MACHFN, which is incremented at each CFN cycle.        For RLC UM mode, the “short” sequence number is a 7-bit RLC sequence number (RLC SN), which is obtained from the RLC UM PDU header. The “long” sequence number is a 25-bit RLC UM HFN, which is incremented at each RLC SN cycle. RLC HFNs are analogous, in this respect, to RRC HFNs, but are maintained by the RLC layer in the wireless device (both on the UE side and the RNC side).        For RLC AM mode, the “short” sequence number is the 12-bit RLC sequence number (RLC SN) obtained from the RLC AM PDU header. The “long” sequence number is the 20-bit RLC AM HFN, which is incremented at each RLC SN cycle.        
The hyperframe numbers (HFNs) above are initialized by means of the parameter START, which is described in section of 3GPP TS 33.102. The UE and the RNC initialize the 20 most significant bits of the RLC AM HFN, RLC UM HFN and MACHFN to START. The remaining bits of the RLC AM HFN, RLC UM HFN and MACHFN are initialized to zero.
Authentication and key agreement, which generates cipher/integrity keys, is not mandatory at call set-up, and there is therefore the possibility of unlimited and malicious re-use of compromised keys. A mechanism is needed to ensure that a particular cipher/integrity key set is not used for an unlimited period of time, to avoid attacks using compromised keys. The USIM, which is nonvolatile memory within the UE, therefore contains a mechanism to limit the amount of data that is protected by an access link key set.
The CN is divided into two distinct and separate domains: a circuit switched (CS) domain, and a packet switched (PS) domain. Each time an RRC connection is released, the values STARTCS and STARTPS of the bearers that were protected in that RRC connection are compared with the maximum value, THRESHOLD. STARTCS is the START value used for the CS domain. STARTPS is the START value used for the PS domain. If STARTCS and/or STARTPS have reached the maximum value THRESHOLD, the UE marks the START value in the USIM for the corresponding CN domain(s) as invalid by setting the STARTCS and/or STARTPS to THRESHOLD. The UE then deletes the cipher key and the integrity key stored on the USIM, and sets the key set identifier (KSI) to invalid (refer to section of 3GPP TS 33.102). Otherwise, the STARTCS and STARTPS are stored in the USIM. START value calculation is indicated in section 8.5.9 of 3GPP TS 25.331, and is typically obtained from the most significant bits of the greatest COUNT-C or COUNT-I value within the domain. The maximum value THRESHOLD is set by the operator and stored in the USIM.
When the next RRC connection is established, START values are read from the USIM for the appropriate domain(s). Then, the UE triggers the generation of a new access link key set (a cipher key and an integrity key) if STARTCS and/or STARTPS has reached the maximum value, THRESHOLD, for the corresponding core network domain(s).
At radio connection establishment for a particular serving network domain (CS or PS) the UE sends the STARTCS and the STARTPS value to the RNC in the RRC connection setup complete message. The UE then marks the START values in the USIM as invalid by setting STARTCS and STARTPS to THRESHOLD. The purpose of doing this is to prevent unintentional reuse of START values if the UE should be turned off or otherwise incapacitated before new START values can be written back to the USIM.
In addition to the above, sections 8.3.7, 8.3.9, 8.3.11 and 8.5.2 of 3GPP TS 25.331 also indicate when to store START values in the USIM.
The 3GPP protocol enables a UE to switch over to another wireless protocol, such as a Global System for Mobile Communications (GSM) protocol, which is performed by one of various so-called Inter-Radio access technology (Inter-RAT) procedures. Please refer to FIG. 5. FIG. 5 is a simple block diagram of an Inter-RAT procedure taking place. Initially, a UE 20 has an established RRC connection 21 with a 3GPP UTRAN 10. The RRC connection 21 may be in either the CS domain 12 or the PS domain 14, though typically in any Inter-RAT procedure the RRC connection 21 will be in the CS domain 12, and so this is assumed in the following. As the UE 20 moves closer to the range of a GSM network 30, a decision may be made by the UTRAN 10 to switch the UE 20 over to the GSM network 30. When the Inter-RAT procedure completes successfully, the UE 20 will have established a connection 23 with the GSM network 30. The connection 21 with the UTRAN is subsequently dropped. Consequently, the START value within the UE 20 USIM must be updated. In this example, the STARTCS value would need to be updated within the USIM.
The START value should reflect how long a particular cipher/integrity key has been used between the UE 20 and the UTRAN 10. However, the current 3GPP protocol incorrectly handles START values during Inter-RAT handover, Inter-RAT cell reselection and Inter-RAT cell change order from UTRAN procedures. Consider, for example, the steps that the UE is to perform upon successful completion of an Inter-RAT handover, as specified by section 8.3.7.4 of 3GPP TS 25.331. These steps indicate that, regarding handling of START values, upon successfully completing the Inter-RAT handover, the UE should:
1>if the USIM is present:
2>store the current START value for every CN domain in the USIM [50];
2>if the “START” stored in the USIM [50] for a CN domain is greater than or equal to the value “THRESHOLD” of the variable START_THRESHOLD:
3>delete the ciphering and integrity keys that are stored in the USIM for that CN domain;
3>inform the deletion of these keys to upper layers.
1>if the SIM is present:
2>store the current START value for every CN domain in the UE;
2>if the “START” stored in the UE for a CN domain is greater than or equal to the value “THRESHOLD” of the variable START_THRESHOLD:
3>delete the ciphering and integrity keys that are stored in the SIM for that CN domain;
3>inform the deletion of these keys to upper layers.
As previously each time the START value is read from the USIM, the UE marks the START value in the USIM as invalid by setting that START value to the THRESHOLD value, so as to prevent unintentional reuse of the same security configuration. At radio connection establishment for a particular serving network domain (CS or PS) the UE sends the START value (CS or PS) to the RNC in the RRC connection setup complete message. If the START value is equal to THRESHOLD, the network assigns a new key set (CS or PS). Due to the manner in which the security protocols handle key synchronization, it is possible for the UE to have a new key set, while continuing to use the old key set for the RRC connection. Under this condition, the current START value will be quite high, exceeding the THRESHOLD value, despite the fact that a new key set is available. This is not accounted for by the Inter-RAT handover, Inter-RAT cell reselection or Inter-RAT cell change order from UTRAN procedures. Under these three procedures, when a new key set has been assigned, but currently unused, the UE will:
1) Determine the USIM is present,
2) Store the START value in the USIM,
3) Determine that the stored START value exceeds the THRESHOLD value,
4) Delete the ciphering and integrity keys, and
5) Inform the upper layers of this deletion.
In the above, the new key set is removed, which is wholly unnecessary. Key sets are radio resources that should be conserved, and used as efficiently as possible. Further, the above forces new key sets to be constructed. The key sets are transmitted over the radio interface, and hence unnecessary assignment of key sets is also a waste of radio resources.